Re: [fw-wiz] [OT] tcpdump parsing
From: hermit921 (hermit921_at_yahoo.com)
Date: 10/13/03
- Previous message: Ofir Arkin: "[fw-wiz] Tool Release: Xprobe2 0.2"
- In reply to: Paul Robertson: "Re: [fw-wiz] [OT] tcpdump parsing"
- Next in thread: Damian Gerow: "[fw-wiz] Spamming, 'hidden' mail server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: firewall-wizards@honor.icsalabs.com
Date: Mon, 13 Oct 2003 08:39:07 -0700
I have found external scans of Windows machines to have decreasing
usefulness. Netstat commands on suspicious W2K systems usually show open
ports that a complete external nmap scan does not show as open.
hermit921
At 03:29 PM 10/8/2003, Paul Robertson wrote:
>On Wed, 8 Oct 2003, Damian Gerow wrote:
>
> > I've done some other digging, and have found out that about 99% of my dump
> > is between ports 25 and 32101. Now I just have to figure out why/how people
> > are connecting to 32101, as a full port scan of the computer has turned up
> > nothing but the standard Windows ports listening, three different times.
>
>You might want to look at the IE bugs that have recently been exploited,
>assuming the machines are Win* based. Checking browser caches and
>histories may yield useful stuff, as will looking for mapped drive shares
>(most Win* worms these days will do the share thing if they can.)
>
> > Since this has moved far and beyond the scope of the list, I'll refrain from
> > posting anything else.
>
>No fair, we wanna know what it was!
>
>Paul
>-----------------------------------------------------------------------------
>Paul D. Robertson "My statements in this message are personal opinions
>proberts@patriot.net which may have no basis whatsoever in fact."
>probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
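Two checks that go with the thread above, written as an added example rather than anything posted by the participants: a histogram of inbound SYNs per destination port from a tcpdump capture (the "99% between 25 and 32101" figure, plus who is talking to 32101), and a diff of the host's own netstat listening list against the ports an external nmap scan reports open, which is the discrepancy hermit921 describes. All sample output (the tcpdump lines, the netstat -an table, the nmap -oG line) is constructed for the example; the tcpdump regex assumes the `tcpdump -n` format with the IP header flag `IP src.port > dst.port:` and the flags field following the colon, and the nmap parser assumes grepable (`-oG`) output. Addresses are documentation ranges, not hosts from the thread.

```python
import re
from collections import Counter

# Constructed tcpdump -n sample (not from the thread). One SYN per attempted
# connection; the fourth line is the SYN/ACK back to the client and must not count.
TCPDUMP_SAMPLE = """\
08:01:10.100001 IP 203.0.113.7.1044 > 192.0.2.5.25: S 1:1(0) win 16384
08:01:10.200002 IP 198.51.100.20.2231 > 192.0.2.5.32101: S 5:5(0) win 65535
08:01:11.300003 IP 203.0.113.9.3333 > 192.0.2.5.32101: S 9:9(0) win 65535
08:01:12.400004 IP 192.0.2.5.32101 > 203.0.113.9.3333: S 10:10(0) ack 10 win 17520
08:01:13.500005 IP 198.51.100.21.1055 > 192.0.2.5.25: S 2:2(0) win 16384
08:01:14.600006 IP 198.51.100.22.4040 > 192.0.2.5.139: S 3:3(0) win 8192
"""

# Matches "timestamp IP a.b.c.d.sport > e.f.g.h.dport:" (assumed tcpdump -n layout).
TCPDUMP_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def dst_port_histogram(dump_text, target_ip, syn_only=True):
    """Count inbound connection attempts per destination port on target_ip.

    With syn_only=True only bare SYNs are counted (flags field starts with 'S '
    and carries no 'ack'), so each attempt counts once rather than once per packet.
    Returns (Counter dport -> hits, dict dport -> set of source IPs).
    """
    hits = Counter()
    sources = {}
    for line in dump_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m or m.group("dst") != target_ip:
            continue
        if syn_only:
            flags = line[m.end():].lstrip()
            if not flags.startswith("S ") or " ack " in flags:
                continue
        port = int(m.group("dport"))
        hits[port] += 1
        sources.setdefault(port, set()).add(m.group("src"))
    return hits, sources


# Constructed "netstat -an" output as a Windows 2000 box prints it (not from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:32101          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.5:445          203.0.113.9:4450       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed nmap grepable (-oG) line for a full external TCP scan of the same host.
NMAP_GREPABLE_SAMPLE = (
    "Host: 192.0.2.5 ()\tPorts: 25/open/tcp//smtp///, 135/open/tcp//msrpc///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (65531)\n"
)


def netstat_listening_tcp(netstat_text):
    """TCP ports the host itself reports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def nmap_open_tcp(grepable_text):
    """TCP ports nmap -oG reports as open (entries look like 25/open/tcp//smtp///)."""
    ports = set()
    for line in grepable_text.splitlines():
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return ports


def compare_views(netstat_text, grepable_text):
    """Diff the inside view (netstat) against the outside view (nmap) in both directions."""
    local = netstat_listening_tcp(netstat_text)
    external = nmap_open_tcp(grepable_text)
    return {
        "listening_but_not_seen_externally": sorted(local - external),
        "open_externally_but_not_in_netstat": sorted(external - local),
    }


if __name__ == "__main__":
    hits, sources = dst_port_histogram(TCPDUMP_SAMPLE, "192.0.2.5")
    total = sum(hits.values())
    for port, n in hits.most_common():
        print(f"port {port:5d}: {n} SYNs ({100 * n / total:.0f}%) from {sorted(sources[port])}")
    print(compare_views(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE))
```

On the sample data the histogram puts 25 and 32101 at two attempts each (four of five SYNs, the rest is 139), and the comparison lists 32101 as listening locally but not open from outside. A port in that first list usually means a host-based or upstream filter sits between the scanner and the service, so the external scan is the incomplete view. A port in the second list is the reverse and the more worrying case: something answers on the wire that the local netstat does not admit to, which is when the local tools, not the scan, should be distrusted.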